The Hacker News — Cyber Security, Hacking, Technology News

Almost two months after releasing details of 23 different secret CIA hacking tool projects under its Vault 7 series, WikiLeaks today announced a new Vault 8 series that will reveal the source code of, and information about, the backend infrastructure developed by CIA hackers.

Alongside the announcement, the whistleblower organisation has also published the first batch of the Vault 8 leak, releasing the source code and development logs of Project Hive, a significant backend component the agency used to control its malware remotely and covertly.

In April this year, WikiLeaks disclosed brief information about Project Hive, revealing that the project is an advanced command-and-control server (a malware control system) that communicates with malware to send it commands for specific tasks on the targets and to receive information exfiltrated from the target machines.

Hive is a multi-user, all-in-one system that multiple CIA operators can use to remotely control multiple malware implants deployed in different operations.

Hive's infrastructure has been specially designed to prevent attribution: it includes a public-facing fake website, behind which multi-stage communication takes place over a Virtual Private Network (VPN).

"Using Hive, even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet," WikiLeaks says.

As shown in the diagram, the malware implants communicate directly with a fake website, running on a commercial VPS (Virtual Private Server), which looks innocent when opened directly in a web browser.

However, in the background, after authentication, the malware implant can communicate with the web server (hosting the fake website), which then forwards malware-related traffic to a "hidden" CIA server called 'Blot' over a secure VPN connection.

The Blot server then forwards the traffic to an implant operator management gateway called 'Honeycomb.'

To evade detection by network administrators, the malware implants use fake digital certificates that impersonate Kaspersky Lab.

"Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities," WikiLeaks says.

"The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town."

The whistleblowing organisation has released the source code for Project Hive, which is now available for anyone, including investigative journalists and forensic experts, to download and dig into its functionality.

The source code published in the Vault 8 series only contains software designed to run on servers controlled by the CIA, and WikiLeaks assures that the organisation will not release any zero-day or similar security vulnerabilities that could be abused by others.

WikiLeaks has just published another Vault 7 leak, revealing how the CIA spies on its intelligence partners around the world, including the FBI, DHS and NSA, to covertly collect data from their systems.

The CIA offers a biometric collection system, with predefined hardware, operating system and software, to its intelligence liaison partners around the world, which helps them voluntarily share the biometric data collected on their systems with each other.

But since no agency shares all of its collected biometric data with others, the Office of Technical Services (OTS) within the CIA developed a tool to secretly exfiltrate data collections from the partners' systems.

Dubbed ExpressLane, the newly revealed CIA project details spying software that CIA agents install manually as part of a routine upgrade to the biometric system.

The leaked CIA documents reveal that the OTS officers, who maintain the biometric collection systems installed at liaison services, visit their premises and secretly install the ExpressLane Trojan while displaying an "upgrade Installation screen with a progress bar that appears to be upgrading the biometric software."

"It will overtly appear to be just another part of this system. It’s called: MOBSLangSvc.exe and is stored in \Windows\System32," leaked CIA documents read.

"Covertly it will collect the data files of interest from the liaison system and store them encrypted in the covert partition on a specially watermarked thumb drive when it is inserted into the system."

ExpressLane includes two components:

Create Partition — This utility allows agents to create a covert partition on the target system where the collected information (in compressed and encrypted form) will be stored.

Exit Ramp — This utility lets the agents steal the collected data stored in the hidden partition using a thumb drive when they revisit.

The latest version, ExpressLane 3.1.1, removes itself by default six months after installation in an attempt to erase its footprint, though OTS officers can change this date.

The biometric software system that the CIA offers is based on a product from Cross Match, a US company specialising in biometric software for law enforcement and the intelligence community, which was also used to "identify Osama bin Laden during the assassination operation in Pakistan."

Previous Vault 7 CIA Leaks

Last week, WikiLeaks published another CIA project, dubbed CouchPotato, which revealed the CIA's ability to spy on video streams remotely in real-time.

Since March, WikiLeaks has published 21 batches of the "Vault 7" series, which include the latest and last week's leaks, along with the following batches:

Dumbo — A CIA project that disclosed the CIA's ability to hijack and manipulate webcams and microphones to corrupt or delete recordings.

Imperial — A CIA project that revealed details of at least 3 CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux.

UCL/Raytheon — An alleged CIA contractor, which analysed in-the-wild malware and hacking tools and submitted at least five reports to the spying agency to help it develop its malware.

Brutal Kangaroo – A Microsoft Windows tool suite used by the agents to target closed networks or air-gapped PCs within an organisation or enterprise without requiring any direct access.

Cherry Blossom – A CIA framework employed by its agents to monitor the Internet activity of target systems by exploiting bugs in Wi-Fi devices.

Pandemic – A CIA project that let the spying agency turn Windows file servers into covert attack machines that can silently infect other systems of interest inside the same network.

Athena – A spyware framework that the secretive US agency uses to take full control of infected Windows machines remotely, and which works against every version of the Windows operating system, from Windows XP to Windows 10.

AfterMidnight and Assassin – Two alleged CIA malware frameworks for the Windows platform that are designed to monitor and report back actions on the infected remote host system and execute malicious actions.

Archimedes – Man-in-the-middle attack tool allegedly developed by the US agency to target systems inside a Local Area Network (LAN).

Scribbles – Software allegedly designed to embed 'web beacons' into confidential documents, allowing the agents to track insiders and whistleblowers.

Grasshopper – A framework that let the spying agency easily create its custom malware for breaking into Microsoft Windows and bypassing antiviruses.

Marble – Source code of a secret anti-forensic tool used by the US agency to hide the actual source of its malicious payload.

Dark Matter – Hacking exploits the US spying agency designed and used to target iPhones and Macs.

Weeping Angel – A spying tool used by CIA agents to infiltrate smart TVs and transform them into covert microphones.

After disclosing the CIA's strategies for hijacking and manipulating webcams and microphones to corrupt or delete recordings, WikiLeaks has now published another Vault 7 leak, revealing the CIA's ability to spy on video streams remotely in real time.

Dubbed 'CouchPotato,' a document leaked from the CIA details how CIA agents use a remote tool to stealthily collect RTSP/H.264 video streams.

Real Time Streaming Protocol, or RTSP, is a network control protocol designed for use in entertainment and communication systems for controlling streaming media servers.

CouchPotato gives CIA hackers the ability to "collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame," a leaked CIA manual reads.

The tool utilises FFmpeg for video and image encoding and decoding and for Real Time Streaming Protocol connectivity.

The CouchPotato tool works stealthily without leaving any evidence on the targeted systems because it has been designed to support the ICE v3 "Fire and Collect" loader, an in-memory code execution (ICE) technique that runs malicious code without the module code being written to disk.

However, neither WikiLeaks nor the leaked user guide details how the agency penetrates the targeted systems in the first place, but since the publication has previously leaked many CIA malware samples, exploits and hacking tools for getting into a network, the agency might have been using CouchPotato in combination with other tools.

Previous Vault 7 CIA Leaks

Since March, WikiLeaks has published 20 batches of the "Vault 7" series, which include the latest and last week's leaks, along with the following batches:

In the last 20 years, we have seen hundreds of caper/heist movies where spies or bank robbers hijack the surveillance cameras of secure premises to either stop recording or set up an endless loop for covert operations without leaving any evidence.

Whenever I see such scenes in a movie, I wonder and ask myself: Does this happen in real life?

Yes, it does, trust me: at least CIA agents are doing this.

WikiLeaks has just unveiled another classified CIA project, dubbed 'Dumbo,' which details how CIA agents hijack and manipulate webcams and microphones in Hollywood style "to gain and exploit physical access to target computers in CIA field operations."

The Dumbo CIA project involves a USB thumb drive equipped with a Windows hacking tool that can identify installed webcams and microphones, whether connected locally by wire or wirelessly via Bluetooth or Wi-Fi.

Once identified, the Dumbo program allows the CIA agents to:

Mute all microphones

Disable all network adapters

Suspend any processes using a camera recording device

Selectively corrupt or delete recordings

However, there are two dependencies for a successful operation:

The Dumbo program requires SYSTEM-level privileges to run.

The USB drive must remain plugged into the system throughout the operation to maintain control over the connected surveillance devices.

This project is being used by the CIA's Physical Access Group (PAG), a special branch within the Center for Cyber Intelligence (CCI) that is tasked with gaining and exploiting physical access to target computers in CIA field operations.

Previous Vault 7 CIA Leaks

Last week, WikiLeaks published another CIA project, dubbed 'Imperial,' which revealed details of at least 3 CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux operating systems.

Since March, WikiLeaks has published 19 batches of the "Vault 7" series, which include the latest and last week's leaks, along with the following batches:

UCL/Raytheon — An alleged CIA contractor, which analysed in-the-wild advanced malware and hacking tools and submitted at least 5 reports to the agency to help it develop its own malware.

WikiLeaks has just published a new set of classified documents linked to another CIA project, dubbed 'Imperial,' which reveals details of at least three CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux operating systems.

If you are a regular reader of THN, you will be aware that this latest revelation by the whistleblower organisation is part of the ongoing CIA Vault 7 leaks, marking it as the 18th batch in the series.

If you are unaware of the Vault 7 leaks, you can head to the second section of this article for a brief look at all the leaks at once.

Achilles — Tool to Backdoor Mac OS X Disk Images

The binding tool, a shell script written in Bash, gives CIA operators a way to bind "one or more desired operator specified executables" to a disk image for one-time execution.

As soon as an unsuspecting user downloads an infected disk image on his/her Apple computer, opens it and installs the software, the malicious executables also run in the background.

Afterwards, all traces of the Achilles tool are "removed securely" from the downloaded application so that the file "exactly resembles" the original, un-trojaned application, making it hard for investigators and antivirus software to detect the initial infection vector.

Achilles v1.0, developed in 2011, was only tested on Mac OS X 10.6, which is Apple's Snow Leopard operating system that the company launched in 2009.

SeaPea — Stealthy Rootkit For Mac OS X Systems

The second hacking tool, called SeaPea, is a Mac OS X rootkit that gives CIA operators stealth and tool-launching capabilities by hiding important files, processes and socket connections from users, allowing them to access Macs without the victim's knowledge.

The rootkit requires root access to be installed on a target Mac computer and cannot be removed unless the startup disk is reformatted or the infected Mac is upgraded to the next version of the operating system.

Aeris — An Automated Implant For Linux Systems

The third CIA hacking tool, dubbed Aeris, is an automated implant written in the C programming language that is specifically designed to backdoor portable Linux-based operating systems, including Debian, CentOS and Red Hat, along with FreeBSD and Solaris.

Aeris is a builder that CIA operators can use to generate customised implants, depending upon their covert operation.

"It's compatible with the NOD Cryptographic Specification and provides structured command and control that's similar to that used by several Windows implants."

Previous Vault 7 CIA Leaks

Last week, WikiLeaks revealed details about CIA contractor Raytheon Blackbird Technologies, which analysed in-the-wild advanced malware and hacking techniques and submitted at least five reports to the agency to help it develop its own malware.

Since March, the whistle-blowing group has published 18 batches of the "Vault 7" series, which include the latest and last week's leaks, along with the following batches:

Highrise Project — the alleged CIA project that allowed the spying agency to stealthily collect and forward stolen data from compromised smartphones to its server through SMS messages.

BothanSpy and Gyrfalcon — two alleged CIA implants that allowed the spying agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux operating systems using different attack vectors.

OutlawCountry – An alleged CIA project that allowed it to hack and remotely spy on computers running the Linux operating system.

Brutal Kangaroo – A tool suite for Microsoft Windows used by the agency to target closed networks or air-gapped computers within an organization or enterprise without requiring any direct access.

Cherry Blossom – An agency framework, basically a remotely controllable firmware-based implant, used for monitoring the Internet activity of targeted systems by exploiting vulnerabilities in Wi-Fi devices.

Pandemic – A CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

Athena – A CIA spyware framework that has been designed to take full control over infected Windows PCs remotely, and which works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.

AfterMidnight and Assassin – Two alleged CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.

Archimedes – Man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).

Scribbles – A piece of software reportedly designed to embed 'web beacons' into confidential documents, allowing the agency to track insiders and whistleblowers.

WikiLeaks has today published the 16th batch of its ongoing Vault 7 leak; this time, instead of revealing new malware or a hacking tool, the whistleblower organisation has unveiled how CIA operatives stealthily collect and forward stolen data from compromised smartphones.

Previously we have reported on several CIA hacking tools, malware and implants used by the agency to remotely infiltrate and steal data from targeted systems or smartphones.

However, this time neither WikiLeaks nor the leaked CIA manual clearly explains how the agency's operatives were using this tool.

But since we have been covering every CIA leak from the very first day, we have understood a possible scenario and have illustrated how this newly revealed tool was being used.

Explained: How CIA Highrise Project Works

In general, malware uses the internet connection to send stolen data from a compromised machine to the attacker-controlled server (listening post), but on smartphones, malware has an alternative way to send stolen data to the attackers: via SMS.

But collecting stolen data via SMS brings a major issue: sorting and analysing the bulk of messages received from multiple targeted devices.

To solve this issue, the CIA created a simple Android application, dubbed Highrise, which works as an SMS proxy between the compromised devices and the listening post server.

"There are a number of IOC tools that use SMS messages for communication and HighRise is an SMS proxy that provides greater separation between devices in the field ("targets") and the listening post" by proxying "'incoming' and 'outgoing' SMS messages to an internet LP," the leaked CIA manual reads.

What I understood after reading the manual is that CIA operatives need to install an application called "TideCheck" on their Android devices, which are set to receive all the stolen data via SMS from the compromised devices.

The last known version of the TideCheck app, i.e. HighRise v2.0, was developed in 2013 and works on mobile devices running Android 4.0 to 4.3, though I believe, by now, they have already developed updated versions that work on the latest Android OS.

Once installed, the app prompts for a password, which is "inshallah," and after login, it displays three options:

Initialize — to run the service.

Show/Edit configuration — to configure basic settings, including the listening post server URL, which must be using HTTPS.

Once initialised and configured properly, the app runs continuously in the background to monitor incoming messages from compromised devices and, when one is received, forwards every single message to the CIA's listening post server over a TLS/SSL-secured Internet channel.

Previous Vault 7 CIA Leaks

Last week, WikiLeaks dumped two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux operating systems using different attack vectors.

Brutal Kangaroo – A tool suite for Microsoft Windows used by the spying agency to target closed networks or air-gapped computers within an organisation or enterprise without requiring any direct access.

Cherry Blossom – An agency framework used for monitoring the Internet activity of targeted systems by exploiting vulnerabilities in Wi-Fi devices.

Pandemic – A CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

Athena – An agency spyware framework that has been developed to take full control of infected Windows machines remotely, and which works on every version of Microsoft's Windows operating systems, from XP to Windows 10.

AfterMidnight and Assassin – Two CIA malware frameworks for the Windows platform that have been designed to monitor activities on the infected remote host computer and execute malicious actions.

Archimedes – Man-in-the-middle attack tool allegedly developed by the CIA to target computers inside a Local Area Network (LAN).

Scribbles – Software reportedly designed to embed 'web beacons' into confidential documents, allowing the agency to track insiders and whistleblowers.

WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors.

Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network.

Gyrfalcon — Implant for Linux OS

Gyrfalcon is also capable of collecting full or partial OpenSSH session traffic, and stores stolen information in an encrypted file for later exfiltration.

"The tool runs in an automated fashion. It is configured in advance, executed on the remote host and left running," the user manual of Gyrfalcon v1.0 reads.

"Sometime later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data."

The user manual for Gyrfalcon v2.0 says that the implant consists of "two compiled binaries that should be uploaded to the target platform along with the encrypted configuration file."

"Gyrfalcon does not provide any communication services between the local operator computer and target platform. The operator must use a third-party application to upload these three files to the target platform."

Previous Vault 7 CIA Leaks

Last week, WikiLeaks dumped a classified CIA project that allowed the spying agency to hack and remotely spy on PCs running the Linux operating system.

Brutal Kangaroo – A tool suite for Microsoft Windows used by the agency to target closed networks or air-gapped computer systems within an organization or enterprise without requiring any direct access.

Cherry Blossom – An agency framework, basically a remotely controllable firmware-based implant, used for spying on the Internet activity of targeted systems by exploiting flaws in WiFi devices.

Pandemic – The agency's project that let it turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

Athena – A spyware framework that has been designed by the CIA to take full control over infected Windows machines remotely, and which works against every version of Windows, from Windows XP to Windows 10.

AfterMidnight and Assassin – Two alleged CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor actions on the infected remote host computer and execute malicious actions.

Archimedes – Man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).

WikiLeaks has just published a new batch of the ongoing Vault 7 leak, this time detailing an alleged CIA project that allowed the agency to hack and remotely spy on computers running the Linux operating system.

Dubbed OutlawCountry, the project allows CIA hackers to redirect all outbound network traffic on the targeted computer to CIA-controlled computer systems in order to exfiltrate and infiltrate data.

The OutlawCountry Linux hacking tool consists of a kernel module, which the CIA hackers load via shell access to the targeted system; the module creates a hidden Netfilter table with an obscure name on the Linux target.

"The new table allows certain rules to be created using the 'iptables' command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed," the CIA's leaked user manual reads.

Although the installation and persistence method of the OutlawCountry tool is not described in detail in the document, it seems that the CIA hackers rely on available CIA exploits and backdoors to inject the kernel module into a targeted Linux system.

However, there are some limitations to using the tool; for instance, the kernel module only works with compatible Linux kernels.

"OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain," WikiLeaks says.
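The quoted manual says the covert table is only visible to an administrator who already knows its name, so `iptables -L` alone will not surface it. The following added example (written for this article, not taken from the leaked OutlawCountry material or WikiLeaks) is a POSIX shell check that instead reads the kernel's own registry of tables, /proc/net/ip_tables_names, which lists every table registered through the iptables API regardless of its name, and flags any name outside the set a stock kernel ships with. The registry path and the stock table names are standard Linux facts; the constructed sample registries in the test are assumptions for demonstration only.

```shell
#!/bin/sh
# Added defensive example: report Netfilter tables the kernel has registered
# that are not one of the standard ones. A table hidden behind an obscure name
# still has to be registered with ip_tables, and that registry is readable by
# root at /proc/net/ip_tables_names (IPv4) and /proc/net/ip6_tables_names (IPv6).
# Hosts that use nftables only may not have these files at all, which the
# functions below treat as "nothing registered" rather than as an error.

# Tables present on a stock kernel. Anything outside this list deserves a look.
KNOWN_TABLES="filter nat mangle raw security"

# unknown_tables FILE
# Print, one per line, every table name in FILE that is not in KNOWN_TABLES.
# The path is a parameter so the same check works on a saved copy collected
# during incident response as well as on the live /proc file.
unknown_tables() {
    registry="$1"
    # Missing or unreadable registry: ip_tables not loaded, nothing to report.
    [ -r "$registry" ] || return 0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case " $KNOWN_TABLES " in
            *" $name "*) ;;                 # expected table, ignore
            *) printf '%s\n' "$name" ;;    # unexpected table, report it
        esac
    done < "$registry"
}

# check_registry FILE
# Exit status 0 when every registered table is expected, 1 otherwise.
check_registry() {
    extra=$(unknown_tables "$1")
    if [ -n "$extra" ]; then
        printf 'Unexpected Netfilter table(s) in %s:\n%s\n' "$1" "$extra"
        return 1
    fi
    return 0
}

# scan_live_system
# Check both the IPv4 and IPv6 registries on the host this runs on.
scan_live_system() {
    status=0
    for f in /proc/net/ip_tables_names /proc/net/ip6_tables_names; do
        check_registry "$f" || status=1
    done
    return $status
}

# Only touch the live kernel when explicitly asked, so the file can also be
# sourced to reuse the functions against saved registry copies.
if [ "${NF_CHECK_LIVE:-0}" = "1" ]; then
    scan_live_system
fi
```

Run it as root with `NF_CHECK_LIVE=1 sh check_nf_tables.sh` to scan the live registries; an unexpected name is a lead to follow up with `lsmod` and the module's source, not proof of compromise on its own.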

Previous Vault 7 CIA Leaks

Dubbed ELSA, the malware captures the IDs of nearby public hotspots and then matches them against a global database of public Wi-Fi hotspot locations.

Since March, the whistleblowing group has published 14 batches of the "Vault 7" series, which include the latest and last week's leaks, along with the following batches:

Brutal Kangaroo – a CIA tool suite for Microsoft Windows that targets closed networks or air-gapped computers within an enterprise or organization without requiring any direct access.

Cherry Blossom – a CIA framework, generally a remotely controllable firmware-based implant, used for monitoring the Internet activity of target systems by exploiting flaws in WiFi devices.

Pandemic – a CIA project that allowed the spying agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

Athena – an agency spyware framework that has been designed to take full control over infected Windows machines remotely, and which works with every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.

AfterMidnight and Assassin – Two apparent CIA malware frameworks for the Microsoft Windows platform that are meant to monitor and report back actions on the infected remote host computer and execute malicious code.

Archimedes – A man-in-the-middle attack tool allegedly built by the spying agency to target computers inside a Local Area Network (LAN).

Scribbles – A piece of software reportedly designed to embed 'web beacons' into confidential documents, allowing the CIA hackers to track insiders and whistleblowers.

Grasshopper – A framework that allowed the CIA to easily create custom malware for breaking into Microsoft Windows and bypassing antivirus protection.

Marble – The source code of a secret anti-forensic framework, primarily an obfuscator or a packer used by the spying agency to hide the actual source of its malware.

Dark Matter – Hacking exploits the agency designed and used to target iPhones and Mac machines.

Weeping Angel – A spying tool used by the CIA to infiltrate smart TVs, transforming them into covert microphones in the target's pocket.

WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a tool suite used by the CIA against Microsoft Windows that targets "closed networks by air gap jumping using thumb drives," networks mainly found in enterprises and critical infrastructure.

Air-gapped computers, which are isolated from the Internet or other external networks and are believed to be the most secure computers on the planet, have become a regular target in recent years.

Dubbed Brutal Kangaroo (v1.2.1), the tool suite was allegedly designed by the Central Intelligence Agency (CIA) in 2012 to infiltrate a closed network or air-gapped computer within an organization or enterprise without requiring any direct access.

The previous version of Brutal Kangaroo was named EZCheese and exploited a vulnerability that was a zero-day until March 2015, while the newer version uses an "unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system."

Here's How the Air-Gap Attack Works

Like most air-gap malware techniques we have reported on at The Hacker News, this hacking tool first infects an Internet-connected computer within the target organisation and installs the Brutal Kangaroo malware on it.

Even if it is hard to reach an Internet-connected PC within the target organisation, the attackers can infect a computer belonging to one of the organisation's employees and then wait for the employee to insert a USB drive into it.

Now, as soon as a user (an employee of the organisation) inserts a USB stick into the infected computer, Shattered Assurance, a server tool, infects the USB drive with a separate piece of malware called Drifting Deadline (also known as 'Emotional Simian' in the latest version).

The USB drive then infects other machines with the help of a flaw in the Microsoft Windows operating system that can be exploited by hand-crafted link files (.lnk) to load and execute programs (DLLs) without user interaction.

"The .lnk file(s) must be viewed in windows explorer, and the tool will be auto-executed without any further input," the manual says.

When the infected USB drive is used to share data with air-gapped computers, the malware spreads itself to those systems as well.

"If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked," WikiLeaks said.

Since March, the whistleblowing group has published 12 batches of the "Vault 7" series, which include the latest and last week's leaks, along with the following batches:

Pandemic – a CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

Athena – a spyware framework that has been designed to take full control over Windows PCs remotely, and which works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.

AfterMidnight and Assassin – Two apparent CIA malware frameworks for the Windows platform that have been designed to monitor and report back activities of the infected remote host computer and execute malicious actions.

Archimedes – Man-in-the-Middle attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).

Scribbles – Software reportedly designed to embed 'web beacons' into confidential files and documents, allowing the agency to track whistleblowers and insiders.

Grasshopper – A framework which allowed the agency to easily create custom malware for breaking into the Windows operating system and bypassing antivirus protection.

Marble – The source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the spying agency to hide the actual source of its malware.

Dark Matter – Revealed hacking exploits the CIA designed to target iPhones and Macs.

Weeping Angel – A spying tool used by the CIA to infiltrate smart TVs and then transform them into covert microphones.

Year Zero – Disclosed several CIA hacking exploits for popular hardware and software.

WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a framework – which is being used by the CIA for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.

Dubbed "Cherry Blossom," the framework was allegedly designed by the Central Intelligence Agency (CIA) with the help of Stanford Research Institute (SRI International), an American nonprofit research institute, as part of its ‘Cherry Bomb’ project.

"An implanted device [called Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest," a leaked CIA manual reads.

"The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection," WikiLeaks says.

According to WikiLeaks, CIA hackers use the Cherry Blossom hacking tool to hijack wireless networking devices on targeted networks and then perform man-in-the-middle attacks to monitor and manipulate the Internet traffic of connected users.

Once it takes full control of the wireless device, it reports back to a CIA-controlled command-and-control server referred to as 'CherryTree,' from which it receives instructions and accordingly performs malicious tasks, which include:

Injecting malicious content into the data stream to fraudulently deliver malware and compromise the connected systems

Setting up VPN tunnels to access clients connected to Flytrap's WLAN/LAN for further exploitation

Copying of the full network traffic of a targeted device

According to an installation guide, the CherryTree C&C server must be located in a secure sponsored facility and installed on Dell PowerEdge 1850 powered virtual servers, running Red Hat Fedora 9, with at least 4GB of RAM.

Cherry Blossom Hacks Wi-Fi Devices from a Wide Range of Vendors

Cherry Blossom can exploit vulnerabilities in hundreds of Wi-Fi devices (full list here) manufactured by the following vendors:

Previous Vault 7 CIA Leaks

Last week, WikiLeaks dumped an alleged CIA project, dubbed Pandemic, that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

The tool is a persistent implant for Microsoft Windows machines that has been designed to infect networks of Windows computers through the Server Message Block (SMB) file sharing protocol by replacing application code on-the-fly with a trojanized version of the software.

Since March, the whistleblowing group has published 11 batches in the "Vault 7" series, which include the latest and last week's leaks, along with the following batches:

Athena – a CIA spyware framework designed to take full control of infected Windows PCs remotely, which works against every version of Microsoft's Windows operating system, from Windows XP to Windows 10.

AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.

Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).

Scribbles – a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.

Grasshopper – revealed a framework that allowed the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.

Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or packer used by the CIA to hide the actual source of its malware.

Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.

Weeping Angel – a spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.

Year Zero – dumped CIA hacking exploits for popular hardware and software.

Security researchers have confirmed that the alleged CIA hacking tools recently exposed by WikiLeaks have been used against at least 40 governments and private organizations across 16 countries.

Since March, as part of its "Vault 7" series, Wikileaks has published over 8,761 documents and other confidential information that the whistleblower group claims came from the US Central Intelligence Agency (CIA).

Now, researchers at cybersecurity company Symantec reportedly managed to link those CIA hacking tools to numerous real cyber attacks in recent years that have been carried out against the government and private sectors across the world.

Those 40 cyber attacks were conducted by Longhorn — a North American hacking group that has been active since at least 2011 and has used backdoor trojans and zero-day attacks to target government, financial, energy, telecommunications, education, aerospace, and natural resources sectors.

Although the group's targets were all in the Middle East, Europe, Asia, and Africa, researchers said the group once infected a computer in the United States, but an uninstaller was launched within an hour, which indicates the "victim was infected unintentionally."

What's interesting is that Symantec linked some of CIA hacking tools and malware variants disclosed by Wikileaks in the Vault 7 files to Longhorn cyber espionage operations.

Fluxwire (Created by CIA) ≅ Corentry (Created by Longhorn)

Fluxwire, a cyber espionage malware allegedly created by the CIA and mentioned in the Vault 7 documents, contains a changelog of the dates on which new features were added, which according to Symantec closely resembles the development cycle of "Corentry," a malware created by the Longhorn hacking group.

"Early versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file," Symantec explains. "The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0."

"Up until 2014, versions of Corentry were compiled using GCC [GNU Compiler Collection]. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015, had used MSVC as a compiler."
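As an added example (not code from Symantec, the leaked documents, or this article), the following Python triage helper extracts the build artifacts the linking above relies on from a sample and groups samples that share a PDB directory; the PE parsing is deliberately minimal, the toolchain test is a heuristic, and the sample blobs it builds are constructed for demonstration, not real binaries.

```python
import re
import struct
from datetime import datetime, timezone
# Added triage helper, not code from Symantec or the leaked documents. It pulls the
# build artifacts the sample linking above relies on: CodeView PDB path, COFF compile
# timestamp and a toolchain guess (MSVC's linker leaves a "Rich" header between the
# DOS stub and "PE\0\0"; GCC/MinGW builds embed "GCC: (GNU) x.y.z"). Heuristics only.

RSDS_RE = re.compile(rb"RSDS.{20}([\x20-\x7e]{1,260})\x00", re.DOTALL)  # GUID+age, path
GCC_RE = re.compile(rb"GCC: \([^)]*\) ([0-9][0-9.]*)")

def pe_offset(data: bytes) -> int:
    """Offset of the PE signature, or -1 if the blob is not MZ/PE shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return off if data[off:off + 4] == b"PE\0\0" else -1

def build_artifacts(data: bytes) -> dict:
    """Return pdb_path, compile date (UTC) and toolchain guess for one sample."""
    pe, compile_time = pe_offset(data), None
    if pe >= 0 and pe + 12 <= len(data):
        ts = struct.unpack_from("<I", data, pe + 8)[0]  # COFF TimeDateStamp
        compile_time = datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()
    if pe >= 0 and b"Rich" in data[0x40:pe]:
        toolchain = "msvc"
    elif (m := GCC_RE.search(data)):
        toolchain = "gcc " + m.group(1).decode()
    else:
        toolchain = "unknown"
    m = RSDS_RE.search(data)
    return {"pdb_path": m.group(1).decode("ascii") if m else None,
            "compile_time": compile_time, "toolchain": toolchain}

def link_by_pdb_directory(samples: dict) -> dict:
    """Group sample names sharing a PDB directory; samples with no path are skipped."""
    groups = {}
    for name, data in samples.items():
        path = build_artifacts(data)["pdb_path"]
        if path:
            groups.setdefault(path.rsplit("\\", 1)[0], []).append(name)
    return {d: names for d, names in groups.items() if len(names) > 1}

def make_sample(pdb: str, ts: int, rich: bool = False, gcc_ver: str = "") -> bytes:
    """Constructed, minimal PE-shaped blob for demonstration (not a real binary)."""
    blob = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    blob[0x3C:0x40] = struct.pack("<I", 0x80)     # e_lfanew -> PE header at 0x80
    blob += (b"\0" * 16 + b"Rich" + b"\x42" * 4) if rich else b""  # Rich header tail
    blob = blob.ljust(0x80, b"\0")
    blob += b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, ts) + b"\0" * 12
    if pdb:
        blob += b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb.encode() + b"\0"
    blob += b"GCC: (GNU) " + gcc_ver.encode() + b"\0" if gcc_ver else b""
    return bytes(blob)
```

Running `build_artifacts` over a corpus and diffing the results against the changelog dates is the kind of comparison Symantec describes: a PDB path that disappears at a given version, or a compiler that changes on a given day, is a clustering signal worth checking against other evidence.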

Similar Malware Modules

Another Vault 7 document details the 'Fire and Forget' specification of the payload and a malware module loader called Archangel, which Symantec claims match almost perfectly with a Longhorn backdoor called Plexor.

"The specification of the payload and the interface used to load it was closely matched in another Longhorn tool called Backdoor.Plexor," says Symantec.

Use of Similar Cryptographic Protocol Practices

Another leaked CIA document outlined cryptographic protocols that should be used within malware tools, such as using AES encryption with a 32-bit key, inner cryptography within SSL to prevent man-in-the-middle attacks, and key exchanges once per connection.

One leaked CIA document also recommends using in-memory string de-obfuscation and the Real-time Transport Protocol (RTP) for communicating with the command and control (C&C) servers.

According to Symantec, these cryptographic protocol and communication practices were also used by the Longhorn group in all of its hacking tools.

More About the Longhorn Hacking Group

Longhorn has been described as a well-resourced hacking group that works on a standard Monday to Friday working week — likely a behavior of a state-sponsored group — and operates in an American time zone.

Longhorn's advanced malware tools are specially designed for cyber espionage with detailed system fingerprinting, discovery, and exfiltration capabilities. The group uses extremely stealthy capabilities in its malware to avoid detection.

Symantec's analysis of the group's activities also shows that Longhorn is from an English-speaking North American country, with code words such as REDLIGHT and ROXANNE referring to the band The Police, and colloquial terms like "scoobysnack."

Overall, the functionality described in the CIA documents and its links to the group activities leave "little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group."


As part of its Vault 7 series of leaked documents, whistleblowing website WikiLeaks today released a new cache of 27 documents allegedly belonging to the US Central Intelligence Agency (CIA).

Named Grasshopper, the latest batch reveals a CLI-based framework developed by the CIA to build "customised malware" payloads for breaking into Microsoft's Windows operating systems and bypassing antivirus protection.

The leaked documents are basically user manuals that the agency flagged as "secret" and that are supposed to be accessed only by members of the agency, WikiLeaks claims.

Grasshopper: Customized Malware Builder Framework

According to the leaked documents, the Grasshopper framework allows agency members to easily create custom malware, depending on technical details such as which operating system and antivirus the targets are using.

The Grasshopper framework then automatically puts together several components sufficient for attacking the target, and finally, delivers a Windows installer that the agency members can run on a target's computer and install their custom malware payloads.

"A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components," the documentation reads. "Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload."

The whistleblowing website claimed the Grasshopper toolset was allegedly designed to go undetected even by the anti-virus products of the world's leading vendors, including Kaspersky Lab, Symantec, and Microsoft.

CIA's Grasshopper Uses 'Stolen' Russian Malware

According to WikiLeaks, the CIA created the Grasshopper framework as a modern cyber-espionage solution not only to be as easy to use as possible but also "to maintain persistence over infected Microsoft Windows computers."

"Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption)," Wikileaks said in the press release.

One of the so-called persistence mechanisms linked to Grasshopper is called Stolen Goods (Version 2), which shows how the CIA adapted known malware developed by cyber criminals across the world and modified it for its own uses.

One such piece of malware is "Carberp," a rootkit developed by Russian hackers.

"The persistence method and parts of the installer were taken and modified to fit our needs," the leaked document noted. "A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified."

It is not yet clear how recently the CIA has used the hacking tools mentioned in the documentation, but WikiLeaks says the tools were used between 2012 and 2015.

So far, Wikileaks has revealed the "Year Zero" batch which uncovered CIA hacking exploits for popular hardware and software, the "Dark Matter" batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs, and the third batch called "Marble."

Marble revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.

As part of its "Vault 7" series, Wikileaks — the popular whistle-blowing platform — has just released another batch of classified documents focused on exploits and hacking techniques the Central Intelligence Agency (CIA) designed to target Apple MacOS and iOS devices.

Dubbed "Dark Matter," the leak uncovers macOS vulnerabilities and attack vectors developed by a special division of the CIA called the Embedded Development Branch (EDB) – the same branch that created the 'Weeping Angel' attack – and focused specifically on hacking Mac and iOS firmware.

CIA Infects Apple Devices With Unremovable Malware

The newly released documents revealed that the CIA had also been targeting the iPhone since 2008.

The agency has created malware that is specially designed to infect Apple firmware in such a way that the infection remains active on macOS and iOS devices even if the operating system has been re-installed.

According to WikiLeaks, the released documents also give a clear insight into "the techniques used by the CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware."

The 'Sonic Screwdriver' Hacking Tool

One of the documents, which is dated November 2012, reveals details about the "Sonic Screwdriver" project, which according to the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting."

The hacking method described in this document allows access to a Mac's firmware using an Ethernet adapter plugged into the computer's Thunderbolt port.

It allows hackers to deliver malware from a peripheral device – such as a USB stick or an external hard drive – "even when a firmware password is enabled" on the device.

"The implanted ethernet adapter needs to be plugged into the Thunderbolt port when the computer is powered on in order for code to be executed. If the adapter is plugged in after the machine is powered on, no implant code will be executed," the document explains.

The NightSkies iPhone Implants

Another document in the latest release consists of a manual for the CIA's "NightSkies 1.2," which is described as a "beacon/loader/implant tool" for the Apple iPhone.

"COG has the opportunity to gift a MacBook Air to a target that will be implanted with this tool. The tool will be a beacon/implant that runs in the background of a MacBook Air that provides us with command and control capabilities. The implant will beacon periodically. This beacon must be persistent in the MacBook Air, and must leave a minimal on-disc footprint," the document says.

What's noteworthy is that the first version of this iPhone hacking tool has been operational since 2007 and was expressly designed to infect "factory fresh" iPhones in the supply chain, WikiLeaks stated in a press release.

"While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise," says WikiLeaks.

CIA's Dark Matter leak is the second batch of Vault 7 released by WikiLeaks, after the whistleblower organization released the first part of an unprecedentedly large archive of CIA-related classified documents on March 7.

The previously published Vault 7 leak outlined a broad range of security bugs in software and devices that millions of people around the world rely on, including iPhones, Android phones, and Samsung TVs, which the agency used to intercept communications and spy on its targets.

Expect to see more revelations about the government and intelligence agencies from WikiLeaks in the coming days as part of its Year Zero series.